Controlling access to an exponentially growing array of data by an increasing number of users represents one of the greatest challenges facing the future of the Internet. Access control and privilege management, no matter the form, presents a cumbersome issue for all types of businesses employing the Internet. Typically, administration tools for access control focus only on the identity of accessors and associated policies, without allowing for massively scalable or sufficiently granular levels of information management. Further, access control administration tools generally require that the user have a high level of expertise.
For instance, it might be necessary in the future to deal with millions of objects, manipulating carefully chosen subgroups of typically less than fifty objects in parallel. The usability of the methods that select these subgroups and manipulate them in parallel may be critical to the viability of the overall project and processes.
The amount of data and resources in the next-generation Internet is expected to increase massively, and the complexity of managing those resources will likewise increase. What is needed is a way to manage the complexity of a large number of resources.
Requests for system resources via the Internet must include contextual information, such as the identity of the user and the resources being requested, for proper adjudication of access control. System resources can be organized using “attributes and values.” Name spaces for the resources can often be created using “attributes and values”, and each resource name space (“resource key”) is associated with specific or general access rules (“entitlement expression” or “eexpression”). Together, they form a policy. As used from this point forward, the term “resources” refers to the resource key rather than the actual resource that might be a piece of data contained in a database, a function in an application, or a hardware resource, such as opening a lock on a door.
Associating the “attributes and values” referred to above with requested resources represents a considerable system management issue. Resources can be organized as groups that are generated, used and manipulated together, which are called “templates.”The templates are used to manage resource keys and their associated entitlement expressions. A health record, for example, may be separated into several distinct resources to be protected by different policies (e.g., healthrecord.patientxyz.contactinfo may have a very different access privilege/eexpression than healthrecord.patientxyz.HIVtestresult). A template can group these resources, and instantiate policies (resource keys and eexpressions) for all the patient's health record, and manage “health records” at a meta level, rather than dealing with each individual's specific record and specific resources in that record, yet allowing exceptions and unique access privileges for specific resources in specific patient's health records.
“Attributes and values” and templates are independent. Each may be useful in operation both separately and in combination. It is somewhat analogous to sorting a hand of cards: one could sort by suit or by value. If one sorts by suit, one could still sort by value within the suit. In a similar way, over a much larger universe of objects, it is useful to be able to select and manipulate based on attributes and values, and it is also useful to be able to select and manipulate based on templates. It can be useful to use both, particularly when the number of objects is high and the relationships are complex. What is needed is a way to associate and embed attributes and values with resources.
Most people using the Internet are not computer programmers. The problems unsophisticated computers users encounter are exacerbated when the number of objects is large. Access control alone requires complex programs to adjudicate users' attempts to log onto a computer or network. As the number of objects stored on a system increases, the complexity of this adjudication also increases. What is needed is a way to manage the complexity of access control to a large number of objects.
Creating, modifying and deleting groups of related resources can be very complex and inefficient. Systems can use templates to efficiently and reliably create and otherwise control groups of related resources. Additionally, systems can use attributes and groups for this purpose, with or without the use of templates. What is needed is a way to efficiently create, modify, and delete groups of related resources with similar access control needs in a single operation, such as using templates, with or without attributes and groups, or else using attribute and groups alone.